idnits 2.17.1

draft-ietf-jose-json-web-key-41.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (January 16, 2015) is 3381 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ECMAScript'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ITU.X690.1994'

  ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)

  ** Downref: Normative reference to an Informational RFC: RFC 4949

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  ** Obsolete normative reference: RFC 6125 (Obsoleted by RFC 9525)

  ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'UNICODE'

  -- Obsolete informational reference (is this intentional?): RFC 3447
     (Obsoleted by RFC 8017)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

     Summary: 5 errors (**), 0 flaws (~~), 1 warning (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

JOSE Working Group                                              M. Jones
Internet-Draft                                                 Microsoft
Intended status: Standards Track                        January 16, 2015
Expires: July 20, 2015

                           JSON Web Key (JWK)
                    draft-ietf-jose-json-web-key-41

Abstract

   A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data
   structure that represents a cryptographic key. This specification
   also defines a JSON Web Key Set (JWK Set) JSON data structure that
   represents a set of JWKs. Cryptographic algorithms and identifiers
   for use with this specification are described in the separate JSON
   Web Algorithms (JWA) specification and IANA registries defined by
   that specification.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 20, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
     1.1. Notational Conventions
   2. Terminology
   3. Example JWK
   4. JSON Web Key (JWK) Format
     4.1. "kty" (Key Type) Parameter
     4.2. "use" (Public Key Use) Parameter
     4.3. "key_ops" (Key Operations) Parameter
     4.4. "alg" (Algorithm) Parameter
     4.5. "kid" (Key ID) Parameter
     4.6. "x5u" (X.509 URL) Parameter
     4.7. "x5c" (X.509 Certificate Chain) Parameter
     4.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter
     4.9. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter
   5. JSON Web Key Set (JWK Set) Format
     5.1. "keys" Parameter
   6. String Comparison Rules
   7. Encrypted JWK and Encrypted JWK Set Formats
   8. IANA Considerations
     8.1. JSON Web Key Parameters Registry
       8.1.1. Registration Template
       8.1.2. Initial Registry Contents
     8.2. JSON Web Key Use Registry
       8.2.1. Registration Template
       8.2.2. Initial Registry Contents
     8.3. JSON Web Key Operations Registry
       8.3.1. Registration Template
       8.3.2. Initial Registry Contents
     8.4. JSON Web Key Set Parameters Registry
       8.4.1. Registration Template
       8.4.2. Initial Registry Contents
     8.5. Media Type Registration
       8.5.1. Registry Contents
   9. Security Considerations
     9.1. Key Provenance and Trust
     9.2. Preventing Disclosure of Non-Public Key Information
     9.3. RSA Private Key Representations and Blinding
     9.4. Key Entropy and Random Values
   10. References
     10.1. Normative References
     10.2. Informative References
   Appendix A. Example JSON Web Key Sets
     A.1. Example Public Keys
     A.2. Example Private Keys
     A.3. Example Symmetric Keys
   Appendix B. Example Use of "x5c" (X.509 Certificate Chain) Parameter
   Appendix C. Example Encrypted RSA Private Key
     C.1. Plaintext RSA Private Key
     C.2. JOSE Header
     C.3. Content Encryption Key (CEK)
     C.4. Key Derivation
     C.5. Key Encryption
     C.6. Initialization Vector
     C.7. Additional Authenticated Data
     C.8. Content Encryption
     C.9. Complete Representation
   Appendix D. Acknowledgements
   Appendix E. Document History
   Author's Address

1. Introduction

   A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) [RFC7159]
   data structure that represents a cryptographic key. This
   specification also defines a JSON Web Key Set (JWK Set) JSON data
   structure that represents a set of JWKs. Cryptographic algorithms
   and identifiers for use with this specification are described in the
   separate JSON Web Algorithms (JWA) [JWA] specification and IANA
   registries defined by that specification.

   Goals for this specification do not include representing new kinds of
   certificate chains, representing new kinds of certified keys, or
   replacing X.509 certificates.

   JWKs and JWK Sets are used in the JSON Web Signature (JWS) [JWS] and
   JSON Web Encryption (JWE) [JWE] specifications.

   Names defined by this specification are short because a core goal is
   for the resulting representations to be compact.

1.1. Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in Key
   words for use in RFCs to Indicate Requirement Levels [RFC2119]. If
   these words are used without being spelled in uppercase then they are
   to be interpreted with their normal natural language meanings.

   BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per
   Section 2 of [JWS].

   UTF8(STRING) denotes the octets of the UTF-8 [RFC3629] representation
   of STRING, where STRING is a sequence of zero or more Unicode
   [UNICODE] characters.

   ASCII(STRING) denotes the octets of the ASCII [RFC20] representation
   of STRING, where STRING is a sequence of zero or more ASCII
   characters.

   The concatenation of two values A and B is denoted as A || B.

2. Terminology

   These terms defined by the JSON Web Signature (JWS) [JWS]
   specification are incorporated into this specification: "JSON Web
   Signature (JWS)", "Base64url Encoding", "Collision-Resistant Name",
   "Header Parameter", and "JOSE Header".

   These terms defined by the JSON Web Encryption (JWE) [JWE]
   specification are incorporated into this specification: "JSON Web
   Encryption (JWE)", "Additional Authenticated Data (AAD)", "JWE
   Authentication Tag", "JWE Ciphertext", "JWE Compact Serialization",
   "JWE Encrypted Key", "JWE Initialization Vector", and "JWE Protected
   Header".

   These terms defined by the Internet Security Glossary, Version 2
   [RFC4949] are incorporated into this specification: "Ciphertext",
   "Digital Signature", "Message Authentication Code (MAC)", and
   "Plaintext".

   These terms are defined by this specification:

   JSON Web Key (JWK)
      A JSON object that represents a cryptographic key. The members of
      the object represent properties of the key, including its value.

   JSON Web Key Set (JWK Set)
      A JSON object that represents a set of JWKs. The JSON object MUST
      have a "keys" member, which is an array of JWKs.

3. Example JWK

   This section provides an example of a JWK. The following example JWK
   declares that the key is an Elliptic Curve [DSS] key, it is used with
   the P-256 Elliptic Curve, and its x and y coordinates are the
   base64url encoded values shown. A key identifier is also provided
   for the key.

     {"kty":"EC",
      "crv":"P-256",
      "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
      "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
      "kid":"Public key used in JWS A.3 example"
     }

   Additional example JWK values can be found in Appendix A.

4. JSON Web Key (JWK) Format

   A JSON Web Key (JWK) is a JSON object that represents a cryptographic
   key. The members of the object represent properties of the key,
   including its value. This JSON object MAY contain white space and/or
   line breaks before or after any JSON values or structural characters,
   in accordance with Section 2 of RFC 7159 [RFC7159]. This document
   defines the key parameters that are not algorithm specific, and thus
   common to many keys.

   In addition to the common parameters, each JWK will have members that
   are key type-specific. These members represent the parameters of the
   key. Section 6 of the JSON Web Algorithms (JWA) [JWA] specification
   defines multiple kinds of cryptographic keys and their associated
   members.

   The member names within a JWK MUST be unique; JWK parsers MUST either
   reject JWKs with duplicate member names or use a JSON parser that
   returns only the lexically last duplicate member name, as specified
   in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript].

   Additional members can be present in the JWK; if not understood by
   implementations encountering them, they MUST be ignored.
   Member names used for representing key parameters for different key
   types need not be distinct. Any new member name should either be
   registered in the IANA JSON Web Key Parameters registry defined in
   Section 8.1 or be a value that contains a Collision-Resistant Name.

4.1. "kty" (Key Type) Parameter

   The "kty" (key type) member identifies the cryptographic algorithm
   family used with the key, such as "RSA" or "EC". "kty" values should
   either be registered in the IANA JSON Web Key Types registry defined
   in [JWA] or be a value that contains a Collision-Resistant Name. The
   "kty" value is a case-sensitive string. This member MUST be present
   in a JWK.

   A list of defined "kty" values can be found in the IANA JSON Web Key
   Types registry defined in [JWA]; the initial contents of this
   registry are the values defined in Section 6.1 of the JSON Web
   Algorithms (JWA) [JWA] specification.

   The key type definitions include specification of the members to be
   used for those key types. Additional members used with "kty" values
   can also be found in the IANA JSON Web Key Parameters registry
   defined in Section 8.1.

4.2. "use" (Public Key Use) Parameter

   The "use" (public key use) member identifies the intended use of the
   public key. The "use" parameter is employed to indicate whether a
   public key is used for encrypting data or verifying the signature on
   data.

   Values defined by this specification are:

   o  "sig" (signature)
   o  "enc" (encryption)

   Other values MAY be used. The "use" value is a case-sensitive
   string. Use of the "use" member is OPTIONAL, unless the application
   requires its presence.

   When a key is used to wrap another key and a Public Key Use
   designation for the first key is desired, the "enc" (encryption) key
   use value is used, since key wrapping is a kind of encryption.
   The "enc" value is also to be used for public keys used for key
   agreement operations.

   Additional Public Key Use values can be registered in the IANA JSON
   Web Key Use registry defined in Section 8.2. Registering any
   extension values used is highly recommended when this specification
   is used in open environments, in which multiple organizations need to
   have a common understanding of any extensions used. However,
   unregistered extension values can be used in closed environments, in
   which the producing and consuming organization will always be the
   same.

4.3. "key_ops" (Key Operations) Parameter

   The "key_ops" (key operations) member identifies the operation(s)
   that the key is intended to be used for. The "key_ops" parameter is
   intended for use cases in which public, private, or symmetric keys
   may be present.

   Its value is an array of key operation values. Values defined by
   this specification are:

   o  "sign" (compute digital signature or MAC)
   o  "verify" (verify digital signature or MAC)
   o  "encrypt" (encrypt content)
   o  "decrypt" (decrypt content and validate decryption, if applicable)
   o  "wrapKey" (encrypt key)
   o  "unwrapKey" (decrypt key and validate decryption, if applicable)
   o  "deriveKey" (derive key)
   o  "deriveBits" (derive bits not to be used as a key)

   (Note that the "key_ops" values intentionally match the "KeyUsage"
   values defined in the Web Cryptography API
   [W3C.CR-WebCryptoAPI-20141211] specification.)

   Other values MAY be used. The key operation values are case-
   sensitive strings. Duplicate key operation values MUST NOT be
   present in the array. Use of the "key_ops" member is OPTIONAL,
   unless the application requires its presence.

   Multiple unrelated key operations SHOULD NOT be specified for a key
   because of the potential vulnerabilities associated with using the
   same key with multiple algorithms.
   Thus, the combinations "sign" with "verify", "encrypt" with
   "decrypt", and "wrapKey" with "unwrapKey" are permitted, but other
   combinations SHOULD NOT be used.

   Additional Key Operations values can be registered in the IANA JSON
   Web Key Operations registry defined in Section 8.3. The same
   considerations about registering extension values apply to the
   "key_ops" member as do for the "use" member.

   The "use" and "key_ops" JWK members SHOULD NOT be used together;
   however, if both are used, the information they convey MUST be
   consistent. Applications should specify which of these members they
   use, if either is to be used by the application.

4.4. "alg" (Algorithm) Parameter

   The "alg" (algorithm) member identifies the algorithm intended for
   use with the key. The values used should either be registered in the
   IANA JSON Web Signature and Encryption Algorithms registry defined in
   [JWA] or be a value that contains a Collision-Resistant Name. The
   "alg" value is a case-sensitive ASCII string. Use of this member is
   OPTIONAL.

4.5. "kid" (Key ID) Parameter

   The "kid" (key ID) member is used to match a specific key. This is
   used, for instance, to choose among a set of keys within a JWK Set
   during key rollover. The structure of the "kid" value is
   unspecified. When "kid" values are used within a JWK Set, different
   keys within the JWK Set SHOULD use distinct "kid" values. (One
   example in which different keys might use the same "kid" value is if
   they have different "kty" (key type) values but are considered to be
   equivalent alternatives by the application using them.) The "kid"
   value is a case-sensitive string. Use of this member is OPTIONAL.

   When used with JWS or JWE, the "kid" value is used to match a JWS or
   JWE "kid" Header Parameter value.

4.6. "x5u" (X.509 URL) Parameter

   The "x5u" (X.509 URL) member is a URI [RFC3986] that refers to a
   resource for an X.509 public key certificate or certificate chain
   [RFC5280]. The identified resource MUST provide a representation of
   the certificate or certificate chain that conforms to RFC 5280
   [RFC5280] in PEM encoded form, with each certificate delimited as
   specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
   certificate MUST match the public key represented by other members of
   the JWK. The protocol used to acquire the resource MUST provide
   integrity protection; an HTTP GET request to retrieve the certificate
   MUST use TLS [RFC2818, RFC5246]; the identity of the server MUST be
   validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
   member is OPTIONAL.

   While there is no requirement that optional JWK members providing key
   usage, algorithm, or other information be present when the "x5u"
   member is used, doing so may improve interoperability for
   applications that do not handle PKIX certificates [RFC5280]. If
   other members are present, the contents of those members MUST be
   semantically consistent with the related fields in the first
   certificate. For instance, if the "use" member is present, then it
   MUST correspond to the usage that is specified in the certificate,
   when it includes this information. Similarly, if the "alg" member is
   present, it MUST correspond to the algorithm specified in the
   certificate.

4.7. "x5c" (X.509 Certificate Chain) Parameter

   The "x5c" (X.509 Certificate Chain) member contains a chain of one or
   more PKIX certificates [RFC5280]. The certificate chain is
   represented as a JSON array of certificate value strings. Each
   string in the array is a base64 encoded ([RFC4648] Section 4 -- not
   base64url encoded) DER [ITU.X690.1994] PKIX certificate value.
   The PKIX certificate containing the key value MUST be the first
   certificate. This MAY be followed by additional certificates, with
   each subsequent certificate being the one used to certify the
   previous one. The key in the first certificate MUST match the public
   key represented by other members of the JWK. Use of this member is
   OPTIONAL.

   As with the "x5u" member, optional JWK members providing key usage,
   algorithm, or other information MAY also be present when the "x5c"
   member is used. If other members are present, the contents of those
   members MUST be semantically consistent with the related fields in
   the first certificate. See the last paragraph of Section 4.6 for
   additional guidance on this.

4.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter

   The "x5t" (X.509 Certificate SHA-1 Thumbprint) member is a base64url
   encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an
   X.509 certificate [RFC5280]. Note that certificate thumbprints are
   also sometimes known as certificate fingerprints. The key in the
   certificate MUST match the public key represented by other members of
   the JWK. Use of this member is OPTIONAL.

   As with the "x5u" member, optional JWK members providing key usage,
   algorithm, or other information MAY also be present when the "x5t"
   member is used. If other members are present, the contents of those
   members MUST be semantically consistent with the related fields in
   the referenced certificate. See the last paragraph of Section 4.6
   for additional guidance on this.

4.9. "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter

   The "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) member is a
   base64url encoded SHA-256 thumbprint (a.k.a. digest) of the DER
   encoding of an X.509 certificate [RFC5280]. Note that certificate
   thumbprints are also sometimes known as certificate fingerprints.
   The key in the certificate MUST match the public key represented by
   other members of the JWK. Use of this member is OPTIONAL.

   As with the "x5u" member, optional JWK members providing key usage,
   algorithm, or other information MAY also be present when the
   "x5t#S256" member is used. If other members are present, the
   contents of those members MUST be semantically consistent with the
   related fields in the referenced certificate. See the last paragraph
   of Section 4.6 for additional guidance on this.

5. JSON Web Key Set (JWK Set) Format

   A JSON Web Key Set (JWK Set) is a JSON object that represents a set
   of JWKs. The JSON object MUST have a "keys" member, with its value
   being an array of JWKs. This JSON object MAY contain white space
   and/or line breaks.

   The member names within a JWK Set MUST be unique; JWK Set parsers
   MUST either reject JWK Sets with duplicate member names or use a JSON
   parser that returns only the lexically last duplicate member name, as
   specified in Section 15.12 (The JSON Object) of ECMAScript 5.1
   [ECMAScript].

   Additional members can be present in the JWK Set; if not understood
   by implementations encountering them, they MUST be ignored.
   Parameters for representing additional properties of JWK Sets should
   either be registered in the IANA JSON Web Key Set Parameters registry
   defined in Section 8.4 or be a value that contains a Collision-
   Resistant Name.

   Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
   (key type) values that are not understood by them, are missing
   required members, or for which values are out of the supported
   ranges.

5.1. "keys" Parameter

   The value of the "keys" member is an array of JWK values.
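
   The parsing rules of Sections 4 and 5 and the "key_ops" rules of
   Section 4.3, as an added Python example that is not part of the
   draft: it rejects duplicate member names, then skips individual JWKs
   in a JWK Set that fail the checks. Assumptions: the required-member
   table comes from Section 6 of JWA, the "use"-to-"key_ops" table is
   this example's reading of "consistent", skipping a key over a
   "key_ops" problem is this example's policy, and the sample set is
   constructed.

```python
import json

# Members required per key type. These come from Section 6 of JWA, not
# from this draft; only three key types are covered here.
REQUIRED = {"EC": ("crv", "x", "y"), "RSA": ("n", "e"), "oct": ("k",)}

# "key_ops" combinations that Section 4.3 explicitly permits.
PERMITTED_PAIRS = ({"sign", "verify"}, {"encrypt", "decrypt"},
                   {"wrapKey", "unwrapKey"})

# Assumption of this example: which "key_ops" values are consistent with
# each "use" value. The draft requires consistency but gives no table.
USE_TO_OPS = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey",
            "deriveKey", "deriveBits"},
}


def _reject_duplicates(pairs):
    """object_pairs_hook: fail on a repeated member name in any object."""
    obj = {}
    for name, value in pairs:
        if name in obj:
            raise ValueError(f"duplicate member name {name!r}")
        obj[name] = value
    return obj


def parse_strict(text):
    """Parse JSON, rejecting duplicate member names (Sections 4 and 5)."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def check_jwk(jwk):
    """Return the problems found in one parsed JWK; empty means accepted."""
    if not isinstance(jwk, dict):
        return ["not a JSON object"]
    kty = jwk.get("kty")
    if not isinstance(kty, str):
        return ['"kty" MUST be present and a string']
    if kty not in REQUIRED:  # case-sensitive, so "ec" is not "EC"
        return [f'"kty" {kty!r} not understood']
    problems = [f'missing required member "{m}"'
                for m in REQUIRED[kty] if not isinstance(jwk.get(m), str)]
    ops = jwk.get("key_ops")
    if ops is None:
        return problems
    if not isinstance(ops, list) or not all(isinstance(o, str) for o in ops):
        return problems + ['"key_ops" is not an array of strings']
    if len(set(ops)) != len(ops):
        problems.append('duplicate value in "key_ops"')
    if len(set(ops)) > 1 and set(ops) not in PERMITTED_PAIRS:
        problems.append('unrelated operations combined in "key_ops"')
    use = jwk.get("use")
    if isinstance(use, str) and use in USE_TO_OPS \
            and not set(ops) <= USE_TO_OPS[use]:
        problems.append('"use" and "key_ops" are inconsistent')
    return problems


def usable_keys(jwk_set_text):
    """Split a JWK Set into (accepted JWKs, [(index, problems), ...])."""
    doc = parse_strict(jwk_set_text)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise ValueError('a JWK Set MUST have a "keys" array')
    accepted, skipped = [], []
    for index, jwk in enumerate(keys):
        problems = check_jwk(jwk)
        if problems:
            skipped.append((index, problems))  # ignore it, keep the rest
        else:
            accepted.append(jwk)
    return accepted, skipped


# Constructed sample input. The coordinates are those of the Section 3
# example key, reused in every entry; the "kid" values are made up.
_X = "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU"
_Y = "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
SAMPLE_SET = json.dumps({"keys": [
    {"kty": "EC", "crv": "P-256", "x": _X, "y": _Y, "kid": "plain"},
    {"kty": "EC", "crv": "P-256", "x": _X, "y": _Y, "kid": "verify-only",
     "use": "sig", "key_ops": ["verify"]},
    {"kty": "ec", "crv": "P-256", "x": _X, "y": _Y, "kid": "lowercase-kty"},
    {"kty": "EC", "crv": "P-256", "x": _X, "kid": "no-y"},
    {"kty": "EC", "crv": "P-256", "x": _X, "y": _Y, "kid": "mixed-ops",
     "use": "sig", "key_ops": ["sign", "encrypt"]},
    {"kty": "EC", "crv": "P-256", "x": _X, "y": _Y, "kid": "repeated-op",
     "key_ops": ["verify", "verify"]},
]})
DUPLICATE_MEMBER = '{"kty":"EC","crv":"P-256","kty":"oct","k":"AA"}'

if __name__ == "__main__":
    accepted, skipped = usable_keys(SAMPLE_SET)
    print("accepted:", [k["kid"] for k in accepted])
    for index, problems in skipped:
        print("skipped", index, problems)
```

   Because the duplicate check runs on every JSON object, a repeated
   member name inside one JWK rejects the whole JWK Set document rather
   than just that key.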
   By default, the order of the JWK values within the array does not
   imply an order of preference among them, although applications of JWK
   Sets can choose to assign a meaning to the order for their purposes,
   if desired.

6. String Comparison Rules

   The string comparison rules for this specification are the same as
   those defined in Section 5.3 of [JWS].

7. Encrypted JWK and Encrypted JWK Set Formats

   Access to JWKs containing non-public key material by parties without
   legitimate access to the non-public information MUST be prevented.
   This can be accomplished by encrypting the JWK when potentially
   observable by such parties to prevent the disclosure of private or
   symmetric key values. The use of an Encrypted JWK, which is a JWE
   with the UTF-8 encoding of a JWK as its plaintext value, is
   recommended for this purpose. The processing of Encrypted JWKs is
   identical to the processing of other JWEs. A "cty" (content type)
   Header Parameter value of "jwk+json" MUST be used to indicate that
   the content of the JWE is a JWK, unless the application knows that
   the encrypted content is a JWK by another means or convention, in
   which case the "cty" value would typically be omitted.

   JWK Sets containing non-public key material will also need to be
   encrypted under these circumstances. The use of an Encrypted JWK
   Set, which is a JWE with the UTF-8 encoding of a JWK Set as its
   plaintext value, is recommended for this purpose. The processing of
   Encrypted JWK Sets is identical to the processing of other JWEs. A
   "cty" (content type) Header Parameter value of "jwk-set+json" MUST be
   used to indicate that the content of the JWE is a JWK Set, unless the
   application knows that the encrypted content is a JWK Set by another
   means or convention, in which case the "cty" value would typically be
   omitted.

   See Appendix C for an example encrypted JWK.

8. IANA Considerations

   The following registration procedure is used for all the registries
   established by this specification.

   Values are registered on a Specification Required [RFC5226] basis
   after a three-week review period on the jose-reg-review@ietf.org
   mailing list, on the advice of one or more Designated Experts.
   However, to allow for the allocation of values prior to publication,
   the Designated Expert(s) may approve registration once they are
   satisfied that such a specification will be published.

   Registration requests must be sent to the jose-reg-review@ietf.org
   mailing list for review and comment, with an appropriate subject
   (e.g., "Request to register JWK parameter: example").

   Within the review period, the Designated Expert(s) will either
   approve or deny the registration request, communicating this decision
   to the review list and IANA. Denials should include an explanation
   and, if applicable, suggestions as to how to make the request
   successful. Registration requests that are undetermined for a period
   longer than 21 days can be brought to the IESG's attention (using the
   iesg@ietf.org mailing list) for resolution.

   Criteria that should be applied by the Designated Expert(s) include
   determining whether the proposed registration duplicates existing
   functionality, determining whether it is likely to be of general
   applicability or whether it is useful only for a single application,
   and whether the registration description is clear.

   IANA must only accept registry updates from the Designated Expert(s)
   and should direct all requests for registration to the review mailing
   list.

   It is suggested that multiple Designated Experts be appointed who are
   able to represent the perspectives of different applications using
   this specification, in order to enable broadly-informed review of
   registration decisions.
   In cases where a registration decision could be perceived as
   creating a conflict of interest for a particular Expert, that Expert
   should defer to the judgment of the other Expert(s).

   [[ Note to the RFC Editor and IANA: Pearl Liang of ICANN had
   requested that the draft supply the following proposed registry
   description information. It is to be used for all registries
   established by this specification.

   o  Protocol Category: JSON Object Signing and Encryption (JOSE)

   o  Registry Location: http://www.iana.org/assignments/jose

   o  Webpage Title: (same as the protocol category)

   o  Registry Name: (same as the section title, but excluding the word
      "Registry", for example "JSON Web Key Parameters")

   ]]

8.1. JSON Web Key Parameters Registry

   This specification establishes the IANA JSON Web Key Parameters
   registry for JWK parameter names. The registry records the parameter
   name, the key type(s) that the parameter is used with, and a
   reference to the specification that defines it. It also records
   whether the parameter conveys public or private information. This
   specification registers the parameter names defined in Section 4.
   The same JWK parameter name may be registered multiple times,
   provided that duplicate parameter registrations are only for key type
   specific JWK parameters; in this case, the meaning of the duplicate
   parameter name is disambiguated by the "kty" value of the JWK
   containing it.

8.1.1. Registration Template

   Parameter Name:
      The name requested (e.g., "kid"). Because a core goal of this
      specification is for the resulting representations to be compact,
      it is RECOMMENDED that the name be short -- not to exceed 8
      characters without a compelling reason to do so. This name is
      case-sensitive.
      Names may not match other registered names in a case-insensitive
      manner unless the Designated Expert(s) state that there is a
      compelling reason to allow an exception in this particular case.
      However, matching names may be registered, provided that the
      accompanying sets of "kty" values that the Parameter Name is used
      with are disjoint; for the purposes of matching "kty" values, "*"
      matches all values.

   Parameter Description:
      Brief description of the parameter (e.g., "Key ID").

   Used with "kty" Value(s):
      The key type parameter value(s) that the parameter name is to be
      used with, or the value "*" if the parameter value is used with
      all key types. Values may not match other registered "kty" values
      in a case-insensitive manner when the registered Parameter Name is
      the same (including when the Parameter Name matches in a case-
      insensitive manner) unless the Designated Expert(s) state that
      there is a compelling reason to allow an exception in this
      particular case.

   Parameter Information Class:
      Registers whether the parameter conveys public or private
      information. Its value must be one of the words Public or Private.

   Change Controller:
      For Standards Track RFCs, state "IESG". For others, give the name
      of the responsible party. Other details (e.g., postal address,
      email address, home page URI) may also be included.

   Specification Document(s):
      Reference to the document(s) that specify the parameter,
      preferably including URI(s) that can be used to retrieve copies of
      the document(s). An indication of the relevant sections may also
      be included but is not required.

8.1.2. Initial Registry Contents

   o  Parameter Name: "kty"
   o  Parameter Description: Key Type
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.1 of [[ this document ]]

   o  Parameter Name: "use"
   o  Parameter Description: Public Key Use
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.2 of [[ this document ]]

   o  Parameter Name: "key_ops"
   o  Parameter Description: Key Operations
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.3 of [[ this document ]]

   o  Parameter Name: "alg"
   o  Parameter Description: Algorithm
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.4 of [[ this document ]]

   o  Parameter Name: "kid"
   o  Parameter Description: Key ID
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.5 of [[ this document ]]

   o  Parameter Name: "x5u"
   o  Parameter Description: X.509 URL
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.6 of [[ this document ]]

   o  Parameter Name: "x5c"
   o  Parameter Description: X.509 Certificate Chain
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.7 of [[ this document ]]

   o  Parameter Name: "x5t"
   o  Parameter Description: X.509 Certificate SHA-1 Thumbprint
   o  Used with "kty" Value(s): *
   o  Parameter Information Class: Public
   o  Change Controller: IESG
   o  Specification Document(s): Section 4.8 of [[ this document
]] 671 o Parameter Name: "x5t#S256" 672 o Parameter Description: X.509 Certificate SHA-256 Thumbprint 673 o Used with "kty" Value(s): * 674 o Parameter Information Class: Public 675 o Change Controller: IESG 676 o Specification Document(s): Section 4.9 of [[ this document ]] 678 8.2. JSON Web Key Use Registry 680 This specification establishes the IANA JSON Web Key Use registry for 681 JWK "use" (public key use) member values. The registry records the 682 public key use value and a reference to the specification that 683 defines it. This specification registers the parameter names defined 684 in Section 4.2. 686 8.2.1. Registration Template 688 Use Member Value: 689 The name requested (e.g., "sig"). Because a core goal of this 690 specification is for the resulting representations to be compact, 691 it is RECOMMENDED that the name be short -- not to exceed 8 692 characters without a compelling reason to do so. This name is 693 case-sensitive. Names may not match other registered names in a 694 case-insensitive manner unless the Designated Expert(s) state that 695 there is a compelling reason to allow an exception in this 696 particular case. 698 Use Description: 699 Brief description of the use (e.g., "Digital Signature or MAC"). 701 Change Controller: 702 For Standards Track RFCs, state "IESG". For others, give the name 703 of the responsible party. Other details (e.g., postal address, 704 email address, home page URI) may also be included. 706 Specification Document(s): 707 Reference to the document(s) that specify the parameter, 708 preferably including URI(s) that can be used to retrieve copies of 709 the document(s). An indication of the relevant sections may also 710 be included but is not required. 712 8.2.2. 
Initial Registry Contents 714 o Use Member Value: "sig" 715 o Use Description: Digital Signature or MAC 716 o Change Controller: IESG 717 o Specification Document(s): Section 4.2 of [[ this document ]] 719 o Use Member Value: "enc" 720 o Use Description: Encryption 721 o Change Controller: IESG 722 o Specification Document(s): Section 4.2 of [[ this document ]] 724 8.3. JSON Web Key Operations Registry 726 This specification establishes the IANA JSON Web Key Operations 727 registry for values of JWK "key_ops" array elements. The registry 728 records the key operation value and a reference to the specification 729 that defines it. This specification registers the parameter names 730 defined in Section 4.3. 732 8.3.1. Registration Template 734 Key Operation Value: 735 The name requested (e.g., "sign"). Because a core goal of this 736 specification is for the resulting representations to be compact, 737 it is RECOMMENDED that the name be short -- not to exceed 8 738 characters without a compelling reason to do so. This name is 739 case-sensitive. Names may not match other registered names in a 740 case-insensitive manner unless the Designated Expert(s) state that 741 there is a compelling reason to allow an exception in this 742 particular case. 744 Key Operation Description: 745 Brief description of the key operation (e.g., "Compute digital 746 signature or MAC"). 748 Change Controller: 749 For Standards Track RFCs, state "IESG". For others, give the name 750 of the responsible party. Other details (e.g., postal address, 751 email address, home page URI) may also be included. 753 Specification Document(s): 754 Reference to the document(s) that specify the parameter, 755 preferably including URI(s) that can be used to retrieve copies of 756 the document(s). An indication of the relevant sections may also 757 be included but is not required. 759 8.3.2. 
Initial Registry Contents 761 o Key Operation Value: "sign" 762 o Key Operation Description: Compute digital signature or MAC 763 o Change Controller: IESG 764 o Specification Document(s): Section 4.3 of [[ this document ]] 766 o Key Operation Value: "verify" 767 o Key Operation Description: Verify digital signature or MAC 768 o Change Controller: IESG 769 o Specification Document(s): Section 4.3 of [[ this document ]] 771 o Key Operation Value: "encrypt" 772 o Key Operation Description: Encrypt content 773 o Change Controller: IESG 774 o Specification Document(s): Section 4.3 of [[ this document ]] 776 o Key Operation Value: "decrypt" 777 o Key Operation Description: Decrypt content and validate 778 decryption, if applicable 780 o Change Controller: IESG 781 o Specification Document(s): Section 4.3 of [[ this document ]] 783 o Key Operation Value: "wrapKey" 784 o Key Operation Description: Encrypt key 785 o Change Controller: IESG 786 o Specification Document(s): Section 4.3 of [[ this document ]] 788 o Key Operation Value: "unwrapKey" 789 o Key Operation Description: Decrypt key and validate decryption, if 790 applicable 791 o Change Controller: IESG 792 o Specification Document(s): Section 4.3 of [[ this document ]] 794 o Key Operation Value: "deriveKey" 795 o Key Operation Description: Derive key 796 o Change Controller: IESG 797 o Specification Document(s): Section 4.3 of [[ this document ]] 799 o Key Operation Value: "deriveBits" 800 o Key Operation Description: Derive bits not to be used as a key 801 o Change Controller: IESG 802 o Specification Document(s): Section 4.3 of [[ this document ]] 804 8.4. JSON Web Key Set Parameters Registry 806 This specification establishes the IANA JSON Web Key Set Parameters 807 registry for JWK Set parameter names. The registry records the 808 parameter name and a reference to the specification that defines it. 809 This specification registers the parameter names defined in 810 Section 5. 812 8.4.1. 
Registration Template 814 Parameter Name: 815 The name requested (e.g., "keys"). Because a core goal of this 816 specification is for the resulting representations to be compact, 817 it is RECOMMENDED that the name be short -- not to exceed 8 818 characters without a compelling reason to do so. This name is 819 case-sensitive. Names may not match other registered names in a 820 case-insensitive manner unless the Designated Expert(s) state that 821 there is a compelling reason to allow an exception in this 822 particular case. 824 Parameter Description: 825 Brief description of the parameter (e.g., "Array of JWK values"). 827 Change Controller: 828 For Standards Track RFCs, state "IESG". For others, give the name 829 of the responsible party. Other details (e.g., postal address, 830 email address, home page URI) may also be included. 832 Specification Document(s): 833 Reference to the document(s) that specify the parameter, 834 preferably including URI(s) that can be used to retrieve copies of 835 the document(s). An indication of the relevant sections may also 836 be included but is not required. 838 8.4.2. Initial Registry Contents 840 o Parameter Name: "keys" 841 o Parameter Description: Array of JWK values 842 o Change Controller: IESG 843 o Specification Document(s): Section 5.1 of [[ this document ]] 845 8.5. Media Type Registration 847 8.5.1. Registry Contents 849 This specification registers the "application/jwk+json" and 850 "application/jwk-set+json" Media Types [RFC2046] in the MIME Media 851 Types registry [IANA.MediaTypes] in the manner described in RFC 6838 852 [RFC6838], which can be used to indicate, respectively, that the 853 content is a JWK or a JWK Set. 855 o Type Name: application 856 o Subtype Name: jwk+json 857 o Required Parameters: n/a 858 o Optional Parameters: n/a 859 o Encoding considerations: 8bit; application/jwk+json values are 860 represented as JSON object; UTF-8 encoding SHOULD be employed for 861 the JSON object. 
   o  Security Considerations: See the Security Considerations section
      of [[ this document ]]
   o  Interoperability Considerations: n/a
   o  Published Specification: [[ this document ]]
   o  Applications that use this media type: OpenID Connect, Salesforce,
      Google, Android, Windows Azure, W3C WebCrypto API, numerous others
   o  Fragment identifier considerations: n/a
   o  Additional Information: Magic number(s): n/a, File extension(s):
      n/a, Macintosh file type code(s): n/a
   o  Person & email address to contact for further information: Michael
      B. Jones, mbj@microsoft.com
   o  Intended Usage: COMMON
   o  Restrictions on Usage: none
   o  Author: Michael B. Jones, mbj@microsoft.com
   o  Change Controller: IESG
   o  Provisional registration?  No

   o  Type Name: application
   o  Subtype Name: jwk-set+json
   o  Required Parameters: n/a
   o  Optional Parameters: n/a
   o  Encoding considerations: 8bit; application/jwk-set+json values are
      represented as a JSON object; UTF-8 encoding SHOULD be employed
      for the JSON object.
   o  Security Considerations: See the Security Considerations section
      of [[ this document ]]
   o  Interoperability Considerations: n/a
   o  Published Specification: [[ this document ]]
   o  Applications that use this media type: OpenID Connect, Salesforce,
      Google, Android, Windows Azure, W3C WebCrypto API, numerous others
   o  Fragment identifier considerations: n/a
   o  Additional Information: Magic number(s): n/a, File extension(s):
      n/a, Macintosh file type code(s): n/a
   o  Person & email address to contact for further information: Michael
      B. Jones, mbj@microsoft.com
   o  Intended Usage: COMMON
   o  Restrictions on Usage: none
   o  Author: Michael B. Jones, mbj@microsoft.com
   o  Change Controller: IESG
   o  Provisional registration?  No

9.  Security Considerations

   All of the security issues that are pertinent to any cryptographic
   application must be addressed by JWS/JWE/JWK agents.  Among these
   issues are protecting the user's asymmetric private and symmetric
   secret keys and employing countermeasures to various attacks.

9.1.  Key Provenance and Trust

   One should place no more trust in the data cryptographically secured
   by a key than in the method by which it was obtained and in the
   trustworthiness of the entity asserting an association with the key.
   Any data associated with a key that is obtained in an untrusted
   manner should be treated with skepticism.  See Section 10.3 of [JWS]
   for security considerations on key origin authentication.

   In almost all cases, applications make decisions about whether to
   trust a key based on attributes bound to the key, such as names,
   roles, and the key origin, rather than based on the key itself.  When
   an application is deciding whether to trust a key, there are several
   ways that it can bind attributes to a JWK.  Two example mechanisms
   are PKIX [RFC5280] and JSON Web Token (JWT) [JWT].

   For instance, the creator of a JWK can include a PKIX certificate in
   the JWK's "x5c" member.  If the application validates the certificate
   and verifies that the JWK corresponds to the subject public key in
   the certificate, then the JWK can be associated with the attributes
   in the certificate, such as the subject name, subject alternative
   names, extended key usages, and its signature chain.

   Also for instance, a JWT can be used to associate attributes with a
   JWK by referencing the JWK as a claim in the JWT.  The JWK can be
   included directly as a claim value or the JWT can include a
   TLS-secured URI from which to retrieve the JWK value.  Either way, an
   application that gets a JWK via a JWT claim can associate it with the
   JWT's cryptographic properties and use these and possibly additional
   claims in deciding whether to trust the key.

   The security considerations in Section 12.3 of XML DSIG 2.0
   [W3C.NOTE-xmldsig-core2-20130411] about the strength of a digital
   signature depending upon all the links in the security chain also
   apply to this specification.

   The TLS Requirements in Section 8 of [JWS] also apply to this
   specification, except that the "x5u" JWK member is the only feature
   defined by this specification using TLS.

9.2.  Preventing Disclosure of Non-Public Key Information

   Private and symmetric keys MUST be protected from disclosure to
   unintended parties.  One recommended means of doing so is to encrypt
   JWKs or JWK Sets containing them by using the JWK or JWK Set value as
   the plaintext of a JWE.  Of course, this requires that there be a
   secure way to obtain the key used to encrypt the non-public key
   information to the intended party and a secure way for that party to
   obtain the corresponding decryption key.

   The security considerations in RFC 3447 [RFC3447] and RFC 6030
   [RFC6030] about protecting private and symmetric keys, key usage, and
   information leakage also apply to this specification.

9.3.  RSA Private Key Representations and Blinding

   The RSA Key blinding operation [Kocher], which is a defense against
   some timing attacks, requires all of the RSA key values "n", "e", and
   "d".  However, some RSA private key representations do not include
   the public exponent "e", but only include the modulus "n" and the
   private exponent "d".  This is true, for instance, of the Java
   RSAPrivateKeySpec API, which does not include the public exponent "e"
   as a parameter.  So as to enable RSA key blinding, such
   representations should be avoided.  For Java, the
   RSAPrivateCrtKeySpec API can be used instead.  Section 8.2.2(i) of
   the Handbook of Applied Cryptography [HAC] discusses how to compute
   the remaining RSA private key parameters, if needed, using only "n",
   "e", and "d".

9.4.  Key Entropy and Random Values

   See Section 10.1 of [JWS] for security considerations on key entropy
   and random values.

10.  References

10.1.  Normative References

   [ECMAScript]
              Ecma International, "ECMAScript Language Specification,
              5.1 Edition", ECMA 262, June 2011.

   [IANA.MediaTypes]
              Internet Assigned Numbers Authority (IANA), "MIME Media
              Types", 2005.

   [ITU.X690.1994]
              International Telecommunications Union, "Information
              Technology - ASN.1 encoding rules: Specification of Basic
              Encoding Rules (BER), Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER)", ITU-T Recommendation
              X.690, 1994.

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)",
              draft-ietf-jose-json-web-algorithms (work in progress),
              January 2015.

   [JWE]      Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
              draft-ietf-jose-json-web-encryption (work in progress),
              January 2015.

   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", draft-ietf-jose-json-web-signature (work
              in progress), January 2015.

   [RFC20]    Cerf, V., "ASCII format for Network Interchange", RFC 20,
              October 1969.

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              November 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, October 2006.

   [RFC4945]  Korver, B., "The Internet IP Security PKI Profile of
              IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [UNICODE]  The Unicode Consortium, "The Unicode Standard", 1991-.

10.2.  Informative References

   [DSS]      National Institute of Standards and Technology, "Digital
              Signature Standard (DSS)", FIPS PUB 186-4, July 2013.

   [HAC]      Menezes, A., van Oorschot, P., and S. Vanstone, "Handbook
              of Applied Cryptography", CRC Press, 1996.

   [JWT]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", draft-ietf-oauth-json-web-token (work in
              progress), January 2015.

   [Kocher]   Kocher, P., "Timing Attacks on Implementations of
              Diffie-Hellman, RSA, DSS, and Other Systems", In
              Proceedings of the 16th Annual International Cryptology
              Conference Advances in Cryptology, Springer-Verlag,
              pp. 104-113, 1996.

   [MagicSignatures]
              Panzer (editor), J., Laurie, B., and D. Balfanz, "Magic
              Signatures", January 2011.

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC6030]  Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
              Key Container (PSKC)", RFC 6030, October 2010.

   [RFC6838]  Freed, N., Klensin, J., and T. Hansen, "Media Type
              Specifications and Registration Procedures", BCP 13,
              RFC 6838, January 2013.

   [W3C.CR-WebCryptoAPI-20141211]
              Sleevi, R. and M. Watson, "Web Cryptography API", World
              Wide Web Consortium Candidate Recommendation
              CR-WebCryptoAPI-20141211, December 2014.

   [W3C.NOTE-xmldsig-core2-20130411]
              Eastlake, D., Reagle, J., Solo, D., Hirsch, F., Roessler,
              T., Yiu, K., Datta, P., and S. Cantor, "XML Signature
              Syntax and Processing Version 2.0", World Wide Web
              Consortium Note NOTE-xmldsig-core2-20130411, April 2013.

Appendix A.  Example JSON Web Key Sets

A.1.  Example Public Keys

   The following example JWK Set contains two public keys represented as
   JWKs: one using an Elliptic Curve algorithm and a second one using an
   RSA algorithm.  The first specifies that the key is to be used for
   encryption.  The second specifies that the key is to be used with the
   "RS256" algorithm.  Both provide a Key ID for key matching purposes.
   In both cases, integers are represented using the base64url encoding
   of their big endian representations.  (Line breaks within values are
   for display purposes only.)

     {"keys":
       [
         {"kty":"EC",
          "crv":"P-256",
          "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
          "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
          "use":"enc",
          "kid":"1"},

         {"kty":"RSA",
          "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
     4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
     tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
     QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
     SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
     w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
          "e":"AQAB",
          "alg":"RS256",
          "kid":"2011-04-29"}
       ]
     }

A.2.  Example Private Keys

   The following example JWK Set contains two keys represented as JWKs
   containing both public and private key values: one using an Elliptic
   Curve algorithm and a second one using an RSA algorithm.  This
   example extends the example in the previous section, adding private
   key values.  (Line breaks within values are for display purposes
   only.)

     {"keys":
       [
         {"kty":"EC",
          "crv":"P-256",
          "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
          "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
          "d":"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
          "use":"enc",
          "kid":"1"},

         {"kty":"RSA",
          "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4
     cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMst
     n64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2Q
     vzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbIS
     D08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw
     0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
          "e":"AQAB",
          "d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9
     M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij
     wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d
     _cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBz
     nbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFz
     me1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
          "p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPV
     nwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqV
     WlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
          "q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyum
     qjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgx
     kIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
          "dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oim
     YwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_Nmtu
     YZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
          "dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUU
     vMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9
     GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
          "qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzg
     UIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rx
     yR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
          "alg":"RS256",
          "kid":"2011-04-29"}
       ]
     }

A.3.  Example Symmetric Keys

   The following example JWK Set contains two symmetric keys represented
   as JWKs: one designated as being for use with the AES Key Wrap
   algorithm and a second one that is an HMAC key.  (Line breaks within
   values are for display purposes only.)

     {"keys":
       [
         {"kty":"oct",
          "alg":"A128KW",
          "k":"GawgguFyGrWKav7AX4VKUg"},

         {"kty":"oct",
          "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75
     aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
          "kid":"HMAC key used in JWS A.1 example"}
       ]
     }

Appendix B.  Example Use of "x5c" (X.509 Certificate Chain) Parameter

   The following is an example of a JWK with an RSA signing key
   represented both as an RSA public key and as an X.509 certificate
   using the "x5c" parameter (with line breaks within values for display
   purposes only):

     {"kty":"RSA",
      "use":"sig",
      "kid":"1b94c",
      "n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
      PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
      u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
      YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
      MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
      VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
      "e":"AQAB",
      "x5c":
       ["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
      gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
      VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
      wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
      NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
      QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
      YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
      YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
      s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
      SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
      fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
      PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
      aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
      QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
      +9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
      zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
      2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
      4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
      gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]
     }

Appendix C.  Example Encrypted RSA Private Key

   This example encrypts an RSA private key to the recipient using
   "PBES2-HS256+A128KW" for key encryption and "A128CBC+HS256" for
   content encryption.

   NOTE: Unless otherwise indicated, all line breaks are included solely
   for readability.

C.1.  Plaintext RSA Private Key

   The following RSA key is the plaintext for the authenticated
   encryption operation, formatted as a JWK (with line breaks within
   values for display purposes only):

     {
      "kty":"RSA",
      "kid":"juliet@capulet.lit",
      "use":"enc",
      "n":"t6Q8PWSi1dkJj9hTP8hNYFlvadM7DflW9mWepOJhJ66w7nyoK1gPNqFMSQRy
           O125Gp-TEkodhWr0iujjHVx7BcV0llS4w5ACGgPrcAd6ZcSR0-Iqom-QFcNP
           8Sjg086MwoqQU_LYywlAGZ21WSdS_PERyGFiNnj3QQlO8Yns5jCtLCRwLHL0
           Pb1fEv45AuRIuUfVcPySBWYnDyGxvjYGDSM-AqWS9zIQ2ZilgT-GqUmipg0X
           OC0Cc20rgLe2ymLHjpHciCKVAbY5-L32-lSeZO-Os6U15_aXrk9Gw8cPUaX1
           _I8sLGuSiVdt3C_Fn2PZ3Z8i744FPFGGcG1qs2Wz-Q",
      "e":"AQAB",
      "d":"GRtbIQmhOZtyszfgKdg4u_N-R_mZGU_9k7JQ_jn1DnfTuMdSNprTeaSTyWfS
           NkuaAwnOEbIQVy1IQbWVV25NY3ybc_IhUJtfri7bAXYEReWaCl3hdlPKXy9U
           vqPYGR0kIXTQRqns-dVJ7jahlI7LyckrpTmrM8dWBo4_PMaenNnPiQgO0xnu
           ToxutRZJfJvG4Ox4ka3GORQd9CsCZ2vsUDmsXOfUENOyMqADC6p1M3h33tsu
           rY15k9qMSpG9OX_IJAXmxzAh_tWiZOwk2K4yxH9tS3Lq1yX8C1EWmeRDkK2a
           hecG85-oLKQt5VEpWHKmjOi_gJSdSgqcN96X52esAQ",
      "p":"2rnSOV4hKSN8sS4CgcQHFbs08XboFDqKum3sc4h3GRxrTmQdl1ZK9uw-PIHf
           QP0FkxXVrx-WE-ZEbrqivH_2iCLUS7wAl6XvARt1KkIaUxPPSYB9yk31s0Q8
           UK96E3_OrADAYtAJs-M3JxCLfNgqh56HDnETTQhH3rCT5T3yJws",
      "q":"1u_RiFDP7LBYh3N4GXLT9OpSKYP0uQZyiaZwBtOCBNJgQxaj10RWjsZu0c6I
           edis4S7B_coSKB0Kj9PaPaBzg-IySRvvcQuPamQu66riMhjVtG6TlV8CLCYK
           rYl52ziqK0E_ym2QnkwsUX7eYTB7LbAHRK9GqocDE5B0f808I4s",
      "dp":"KkMTWqBUefVwZ2_Dbj1pPQqyHSHjj90L5x_MOzqYAJMcLMZtbUtwKqvVDq3
           tbEo3ZIcohbDtt6SbfmWzggabpQxNxuBpoOOf_a_HgMXK_lhqigI4y_kqS1w
           Y52IwjUn5rgRrJ-yYo1h41KR-vz2pYhEAeYrhttWtxVqLCRViD6c",
      "dq":"AvfS0-gRxvn0bwJoMSnFxYcK1WnuEjQFluMGfwGitQBWtfZ1Er7t1xDkbN9
           GQTB9yqpDoYaN06H7CFtrkxhJIBQaj6nkF5KKS3TQtQ5qCzkOkmxIe3KRbBy
           mXxkb5qwUpX5ELD5xFc6FeiafWYY63TmmEAu_lRFCOJ3xDea-ots",
      "qi":"lSQi-w9CpyUReMErP1RsBLk7wNtOvs5EQpPqmuMvqW57NBUczScEoPwmUqq
           abu9V0-Py4dQ57_bapoKRu1R90bvuFnU63SHWEFglZQvJDMeAvmj4sm-Fp0o
           Yu_neotgQ0hzbI5gry7ajdYy9-2lNx_76aBZoOUu9HCJ-UsfSOI8"
     }

   The octets representing the Plaintext used in this example (using
   JSON array notation) are:
82, 114, 74, 45, 121, 89, 111, 49, 104, 52, 49, 1392 75, 82, 45, 118, 122, 50, 112, 89, 104, 69, 65, 101, 89, 114, 104, 1393 116, 116, 87, 116, 120, 86, 113, 76, 67, 82, 86, 105, 68, 54, 99, 34, 1394 44, 34, 100, 113, 34, 58, 34, 65, 118, 102, 83, 48, 45, 103, 82, 120, 1395 118, 110, 48, 98, 119, 74, 111, 77, 83, 110, 70, 120, 89, 99, 75, 49, 1396 87, 110, 117, 69, 106, 81, 70, 108, 117, 77, 71, 102, 119, 71, 105, 1397 116, 81, 66, 87, 116, 102, 90, 49, 69, 114, 55, 116, 49, 120, 68, 1398 107, 98, 78, 57, 71, 81, 84, 66, 57, 121, 113, 112, 68, 111, 89, 97, 1399 78, 48, 54, 72, 55, 67, 70, 116, 114, 107, 120, 104, 74, 73, 66, 81, 1400 97, 106, 54, 110, 107, 70, 53, 75, 75, 83, 51, 84, 81, 116, 81, 53, 1401 113, 67, 122, 107, 79, 107, 109, 120, 73, 101, 51, 75, 82, 98, 66, 1402 121, 109, 88, 120, 107, 98, 53, 113, 119, 85, 112, 88, 53, 69, 76, 1403 68, 53, 120, 70, 99, 54, 70, 101, 105, 97, 102, 87, 89, 89, 54, 51, 1404 84, 109, 109, 69, 65, 117, 95, 108, 82, 70, 67, 79, 74, 51, 120, 68, 1405 101, 97, 45, 111, 116, 115, 34, 44, 34, 113, 105, 34, 58, 34, 108, 1406 83, 81, 105, 45, 119, 57, 67, 112, 121, 85, 82, 101, 77, 69, 114, 80, 1407 49, 82, 115, 66, 76, 107, 55, 119, 78, 116, 79, 118, 115, 53, 69, 81, 1408 112, 80, 113, 109, 117, 77, 118, 113, 87, 53, 55, 78, 66, 85, 99, 1409 122, 83, 99, 69, 111, 80, 119, 109, 85, 113, 113, 97, 98, 117, 57, 1410 86, 48, 45, 80, 121, 52, 100, 81, 53, 55, 95, 98, 97, 112, 111, 75, 1411 82, 117, 49, 82, 57, 48, 98, 118, 117, 70, 110, 85, 54, 51, 83, 72, 1412 87, 69, 70, 103, 108, 90, 81, 118, 74, 68, 77, 101, 65, 118, 109, 1413 106, 52, 115, 109, 45, 70, 112, 48, 111, 89, 117, 95, 110, 101, 111, 1414 116, 103, 81, 48, 104, 122, 98, 73, 53, 103, 114, 121, 55, 97, 106, 1415 100, 89, 121, 57, 45, 50, 108, 78, 120, 95, 55, 54, 97, 66, 90, 111, 1416 79, 85, 117, 57, 72, 67, 74, 45, 85, 115, 102, 83, 79, 73, 56, 34, 1417 125] 1419 C.2. 
JOSE Header 1421 The following example JWE Protected Header declares that: 1423 o the Content Encryption Key is encrypted to the recipient using the 1424 PSE2-HS256+A128KW algorithm to produce the JWE Encrypted Key, 1426 o the Salt Input ("p2s") value is [217, 96, 147, 112, 150, 117, 70, 1427 247, 127, 8, 155, 137, 174, 42, 80, 215], 1429 o the Iteration Count ("p2c") value is 4096, 1431 o authenticated encryption is performed on the Plaintext using the 1432 AES_128_CBC_HMAC_SHA_256 algorithm to produce the Ciphertext and 1433 the Authentication Tag, and 1435 o the content type is application/jwk+json. 1437 { 1438 "alg":"PBES2-HS256+A128KW", 1439 "p2s":"2WCTcJZ1Rvd_CJuJripQ1w", 1440 "p2c":4096, 1441 "enc":"A128CBC-HS256", 1442 "cty":"jwk+json" 1443 } 1445 Encoding this JWE Protected Header as BASE64URL(UTF8(JWE Protected 1446 Header)) gives this value (with line breaks for display purposes 1447 only): 1449 eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJwMnMiOiIyV0NUY0paMVJ2ZF9DSn 1450 VKcmlwUTF3IiwicDJjIjo0MDk2LCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiY3R5Ijoi 1451 andrK2pzb24ifQ 1453 C.3. Content Encryption Key (CEK) 1455 Generate a 256 bit random Content Encryption Key (CEK). In this 1456 example, the value (using JSON array notation) is: 1458 [111, 27, 25, 52, 66, 29, 20, 78, 92, 176, 56, 240, 65, 208, 82, 112, 1459 161, 131, 36, 55, 202, 236, 185, 172, 129, 23, 153, 194, 195, 48, 1460 253, 182] 1462 C.4. Key Derivation 1464 Derive a key from a shared passphrase using the PBKDF2 algorithm with 1465 HMAC SHA-256 and the specified Salt and Iteration Count values and a 1466 128 bit requested output key size to produce the PBKDF2 Derived Key. 1467 This example uses the following passphrase: 1469 Thus from my lips, by yours, my sin is purged. 
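The header decoding and key derivation of C.2 and C.4, as an added example that is not part of the draft: it validates "p2s" and "p2c" from the JWE Protected Header, builds the Salt value as UTF8(Alg) || 0x00 || Salt Input, and runs PBKDF2. It goes beyond the page's single case by accepting the three PBES2 "alg" names in JWA; the iteration-count ceiling and all function names are assumptions of this example.

```python
import base64
import hashlib
import json
import re

# Values copied from Appendix C of the page (C.2 and C.4).
PROTECTED_HEADER_B64 = (
    "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJwMnMiOiIyV0NUY0paMVJ2ZF9DSn"
    "VKcmlwUTF3IiwicDJjIjo0MDk2LCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiY3R5Ijoi"
    "andrK2pzb24ifQ"
)
PASSPHRASE = "Thus from my lips, by yours, my sin is purged."

# "alg" value -> (PBKDF2 PRF hash, derived key size in octets).  The page uses
# only the first entry; the other two are the remaining PBES2 names in JWA.
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}

# The header arrives from the sender, so its parameters are bounded before any
# PBKDF2 work is done.  The 8-octet salt minimum and the 1000-iteration floor
# follow JWA; the ceiling is an assumed local policy, not a value from the page.
MIN_SALT_INPUT_OCTETS = 8
MIN_ITERATIONS = 1000
MAX_ITERATIONS = 1_000_000


def b64url_encode(data: bytes) -> str:
    """BASE64URL without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict decoder: rejects padding, whitespace and impossible lengths."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", text) or len(text) % 4 == 1:
        raise ValueError("not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_header(header: dict) -> str:
    """Serialize a header dict compactly and encode it as a JWE segment."""
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))


def parse_pbes2_header(segment: str) -> dict:
    """Decode a JWE Protected Header segment and validate its PBES2 members."""
    header = json.loads(b64url_decode(segment).decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    alg, p2s, p2c = header.get("alg"), header.get("p2s"), header.get("p2c")
    if not isinstance(alg, str) or alg not in PBES2_ALGS:
        raise ValueError('"alg" is not a PBES2 algorithm')
    if not isinstance(p2s, str):
        raise ValueError('"p2s" must be a base64url string')
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError('"p2c" must be a JSON integer')
    if not MIN_ITERATIONS <= p2c <= MAX_ITERATIONS:
        raise ValueError('"p2c" is outside the accepted range')
    salt_input = b64url_decode(p2s)
    if len(salt_input) < MIN_SALT_INPUT_OCTETS:
        raise ValueError('"p2s" Salt Input is too short')
    return {"alg": alg, "salt_input": salt_input, "p2c": p2c}


def pbes2_salt(alg: str, salt_input: bytes) -> bytes:
    """Salt value fed to PBKDF2: UTF8(Alg) || 0x00 || Salt Input."""
    return alg.encode("utf-8") + b"\x00" + salt_input


def derive_key(passphrase: str, segment: str) -> bytes:
    """PBKDF2 Derived Key for the PBES2 parameters carried in the header."""
    params = parse_pbes2_header(segment)
    hash_name, key_len = PBES2_ALGS[params["alg"]]
    salt = pbes2_salt(params["alg"], params["salt_input"])
    return hashlib.pbkdf2_hmac(
        hash_name, passphrase.encode("utf-8"), salt, params["p2c"], dklen=key_len
    )


if __name__ == "__main__":
    print(list(derive_key(PASSPHRASE, PROTECTED_HEADER_B64)))
```

The derived key is the key-encryption key for the "A128KW" step in C.5; that step needs an AES implementation, which the Python standard library does not provide.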

   The octets representing the passphrase are:

   [84, 104, 117, 115, 32, 102, 114, 111, 109, 32, 109, 121, 32, 108,
   105, 112, 115, 44, 32, 98, 121, 32, 121, 111, 117, 114, 115, 44, 32,
   109, 121, 32, 115, 105, 110, 32, 105, 115, 32, 112, 117, 114, 103,
   101, 100, 46]

   The Salt value (UTF8(Alg) || 0x00 || Salt Input) is:

   [80, 66, 69, 83, 50, 45, 72, 83, 50, 53, 54, 43, 65, 49, 50, 56, 75,
   87, 0, 217, 96, 147, 112, 150, 117, 70, 247, 127, 8, 155, 137, 174,
   42, 80, 215].

   The resulting PBKDF2 Derived Key value is:

   [110, 171, 169, 92, 129, 92, 109, 117, 233, 242, 116, 233, 170, 14,
   24, 75]

C.5.  Key Encryption

   Encrypt the CEK with the "A128KW" algorithm using the PBKDF2 Derived
   Key.  The resulting JWE Encrypted Key value is:

   [78, 186, 151, 59, 11, 141, 81, 240, 213, 245, 83, 211, 53, 188, 134,
   188, 66, 125, 36, 200, 222, 124, 5, 103, 249, 52, 117, 184, 140, 81,
   246, 158, 161, 177, 20, 33, 245, 57, 59, 4]

   Encoding this JWE Encrypted Key as BASE64URL(JWE Encrypted Key) gives
   this value:

     TrqXOwuNUfDV9VPTNbyGvEJ9JMjefAVn-TR1uIxR9p6hsRQh9Tk7BA

C.6.  Initialization Vector

   Generate a random 128 bit JWE Initialization Vector.  In this
   example, the value is:

   [97, 239, 99, 214, 171, 54, 216, 57, 145, 72, 7, 93, 34, 31, 149,
   156]

   Encoding this JWE Initialization Vector as BASE64URL(JWE
   Initialization Vector) gives this value:

     Ye9j1qs22DmRSAddIh-VnA

C.7.  Additional Authenticated Data

   Let the Additional Authenticated Data encryption parameter be
   ASCII(BASE64URL(UTF8(JWE Protected Header))).
   This value is:

   [123, 34, 97, 108, 103, 34, 58, 34, 80, 66, 69, 83, 50, 45, 72, 83,
   50, 53, 54, 43, 65, 49, 50, 56, 75, 87, 34, 44, 34, 112, 50, 115, 34,
   58, 34, 50, 87, 67, 84, 99, 74, 90, 49, 82, 118, 100, 95, 67, 74,
   117, 74, 114, 105, 112, 81, 49, 119, 34, 44, 34, 112, 50, 99, 34, 58,
   52, 48, 57, 54, 44, 34, 101, 110, 99, 34, 58, 34, 65, 49, 50, 56, 67,
   66, 67, 45, 72, 83, 50, 53, 54, 34, 44, 34, 99, 116, 121, 34, 58, 34,
   106, 119, 107, 43, 106, 115, 111, 110, 34, 125]

C.8.  Content Encryption

   Perform authenticated encryption on the Plaintext with the
   AES_128_CBC_HMAC_SHA_256 algorithm using the CEK as the encryption
   key, the JWE Initialization Vector, and the Additional Authenticated
   Data value above.  The resulting Ciphertext is:

   The resulting Authentication Tag value is:

   [208, 113, 102, 132, 236, 236, 67, 223, 39, 53, 98, 99, 32, 121, 17,
   236]

   Encoding this JWE Ciphertext as BASE64URL(JWE Ciphertext) gives this
   value (with line breaks for display purposes only):

   Encoding this JWE Authentication Tag as BASE64URL(JWE Authentication
   Tag) gives this value:

     0HFmhOzsQ98nNWJjIHkR7A

C.9.  Complete Representation

   Assemble the final representation: The JWE Compact Serialization of
   this result, as defined in Section 7.1 of [JWE], is the string
   BASE64URL(UTF8(JWE Protected Header)) || '.' || BASE64URL(JWE
   Encrypted Key) || '.' || BASE64URL(JWE Initialization Vector) || '.'
   || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE Authentication
   Tag).

   The final result in this example (with line breaks for display
   purposes only) is:

Appendix D.  Acknowledgements

   A JSON representation for RSA public keys was previously introduced
   by John Panzer, Ben Laurie, and Dirk Balfanz in Magic Signatures
   [MagicSignatures].

   Thanks to Matt Miller for creating the encrypted key example and to
   Edmund Jay and Brian Campbell for validating the example.

   This specification is the work of the JOSE Working Group, which
   includes dozens of active and dedicated participants.
   In particular, the following individuals contributed ideas,
   feedback, and wording that influenced this specification:

   Dirk Balfanz, Richard Barnes, John Bradley, Brian Campbell, Breno de
   Medeiros, Stephen Farrell, Joe Hildebrand, Edmund Jay, Stephen Kent,
   Ben Laurie, James Manger, Matt Miller, Kathleen Moriarty, Chuck
   Mortimore, Tony Nadalin, Axel Nennker, John Panzer, Eric Rescorla,
   Pete Resnick, Nat Sakimura, Jim Schaad, Ryan Sleevi, Paul Tarjan,
   Hannes Tschofenig, and Sean Turner.

   Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
   Sean Turner, Stephen Farrell, and Kathleen Moriarty served as
   Security area directors during the creation of this specification.

Appendix E.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   -41

   o  Added Security Considerations text about binding attributes to
      keys.

   o  Incorporated additional terms defined in the JWE spec by
      reference.

   -40

   o  Clarified the definitions of UTF8(STRING) and ASCII(STRING).

   o  Stated that line breaks are for display purposes only in places
      where this disclaimer was needed and missing.

   o  Updated the WebCrypto reference to refer to the W3C Candidate
      Recommendation.

   -39

   o  No changes were made, other than to the version number and date.

   -38

   o  Replaced uses of the phrase "JWK object" with "JWK".

   -37

   o  Updated the TLS requirements language to only require
      implementations to support TLS when they support features using
      TLS.

   o  Restricted algorithm names to using only ASCII characters.

   o  Updated the example IANA registration request subject line.

   -36

   o  Stated that if both "use" and "key_ops" are used, the information
      they convey MUST be consistent.

   o  Clarified where white space and line breaks may occur in JSON
      objects by referencing Section 2 of RFC 7159.

   o  Specified that registration reviews occur on the
      jose-reg-review@ietf.org mailing list.

   -35

   o  Used real values for examples in the IANA Registration Templates.

   -34

   o  Addressed IESG review comments by Pete Resnick, Stephen Farrell,
      and Richard Barnes.

   o  Referenced RFC 4945 for PEM certificate delimiter syntax.

   -33

   o  Addressed secdir review comments by Stephen Kent for which
      resolutions had mistakenly been omitted in the previous draft.

   o  Acknowledged additional contributors.

   -32

   o  Addressed Gen-ART review comments by Russ Housley.

   o  Addressed secdir review comments by Stephen Kent.

   -31

   o  No changes were made, other than to the version number and date.

   -30

   o  Added references and cleaned up the reference syntax in a few
      places.

   o  Applied minor wording changes to the Security Considerations
      section.

   -29

   o  Replaced the terms JWS Header, JWE Header, and JWT Header with a
      single JOSE Header term defined in the JWS specification.  This
      also enabled a single Header Parameter definition to be used and
      reduced other areas of duplication between specifications.

   -28

   o  Revised the introduction to the Security Considerations section.

   o  Refined the text about when applications using encrypted JWKs and
      JWK Sets would not need to use the "cty" header parameter.

   -27

   o  Added an example JWK early in the draft.

   o  Described additional security considerations.

   o  Added the "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) JWK
      member.

   o  Addressed a few editorial issues.

   -26

   o  Referenced Section 6 of RFC 6125 for TLS server certificate
      identity validation.

   o  Deleted misleading non-normative phrase from the "use"
      description.

   o  Noted that octet sequences are depicted using JSON array notation.

   o  Updated references, including to W3C specifications.

   -25

   o  Updated WebCrypto reference to refer to W3C Last Call draft.

   -24

   o  Corrected the authentication tag value in the encrypted key
      example.

   o  Updated the JSON reference to RFC 7159.

   -23

   o  No changes were made, other than to the version number and date.

   -22

   o  Corrected RFC 2119 terminology usage.

   o  Replaced references to draft-ietf-json-rfc4627bis with RFC 7158.

   -21

   o  Replaced the "key_ops" values "wrap" and "unwrap" with "wrapKey"
      and "unwrapKey" to match the "KeyUsage" values defined in the
      current Web Cryptography API editor's draft.

   o  Compute the PBES2 salt parameter as (UTF8(Alg) || 0x00 || Salt
      Input), where the "p2s" Header Parameter encodes the Salt Input
      value and Alg is the "alg" Header Parameter value.

   o  Changed some references from being normative to informative,
      addressing issue #90.

   -20

   o  Renamed "use_details" to "key_ops" (key operations).

   o  Clarified that "use" is meant for public key use cases, "key_ops"
      is meant for use cases in which public, private, or symmetric keys
      may be present, and that "use" and "key_ops" should not be used
      together.

   o  Replaced references to RFC 4627 with draft-ietf-json-rfc4627bis,
      addressing issue #90.

   -19

   o  Added optional "use_details" (key use details) JWK member.

   o  Reordered the key selection parameters.

   -18

   o  Changes to address editorial and minor issues #68, #69, #73, #74,
      #76, #77, #78, #79, #82, #85, #89, and #135.

   o  Added and used Description registry fields.

   -17

   o  Refined the "typ" and "cty" definitions to always be MIME Media
      Types, with the omission of "application/" prefixes recommended
      for brevity, addressing issue #50.

   o  Added an example encrypting an RSA private key with
      "PBES2-HS256+A128KW" and "A128CBC-HS256".  Thanks to Matt Miller
      for producing this!

   o  Processing rules occurring in both JWS and JWK are now referenced
      in JWS by JWK, rather than duplicated, addressing issue #57.

   o  Terms used in multiple documents are now defined in one place and
      incorporated by reference.  Some lightly used or obvious terms
      were also removed.  This addresses issue #58.

   -16

   o  Changes to address editorial and minor issues #41, #42, #43, #47,
      #51, #67, #71, #76, #80, #83, #84, #85, #86, #87, and #88.

   -15

   o  Changes to address editorial issues #48, #64, #65, #66, and #91.

   -14

   o  Relaxed language introducing key parameters since some parameters
      are applicable to multiple, but not all, key types.

   -13

   o  Applied spelling and grammar corrections.

   -12

   o  Stated that recipients MUST either reject JWKs and JWK Sets with
      duplicate member names or use a JSON parser that returns only the
      lexically last duplicate member name.

   -11

   o  Stated that when "kid" values are used within a JWK Set, different
      keys within the JWK Set SHOULD use distinct "kid" values.

   o  Added optional "x5u" (X.509 URL), "x5t" (X.509 Certificate
      Thumbprint), and "x5c" (X.509 Certificate Chain) JWK parameters.

   o  Added section on Encrypted JWK and Encrypted JWK Set Formats.

   o  Added a Parameter Information Class value to the JSON Web Key
      Parameters registry, which registers whether the parameter conveys
      public or private information.

   o  Registered "application/jwk+json" and "application/jwk-set+json"
      MIME types and "JWK" and "JWK-SET" typ header parameter values,
      addressing issue #21.

   -10

   o  No changes were made, other than to the version number and date.

   -09

   o  Expanded the scope of the JWK specification to include private and
      symmetric key representations, as specified by
      draft-jones-jose-json-private-and-symmetric-key-00.

   o  Defined that members that are not understood must be ignored.

   -08

   o  Changed the name of the JWK key type parameter from "alg" to "kty"
      to enable use of "alg" to indicate the particular algorithm that
      the key is intended to be used with.

   o  Clarified statements of the form "This member is OPTIONAL" to "Use
      of this member is OPTIONAL".

   o  Referenced String Comparison Rules in JWS.

   o  Added seriesInfo information to Internet Draft references.

   -07

   o  Changed the name of the JWK RSA modulus parameter from "mod" to
      "n" and the name of the JWK RSA exponent parameter from "xpo" to
      "e", so that the identifiers are the same as those used in RFC
      3447.

   -06

   o  Changed the name of the JWK RSA exponent parameter from "exp" to
      "xpo" so as to allow the potential use of the name "exp" for a
      future extension that might define an expiration parameter for
      keys.  (The "exp" name is already used for this purpose in the JWT
      specification.)

   o  Clarify that the "alg" (algorithm family) member is REQUIRED.

   o  Correct an instance of "JWK" that should have been "JWK Set".

   o  Applied changes made by the RFC Editor to RFC 6749's registry
      language to this specification.

   -05

   o  Indented artwork elements to better distinguish them from the body
      text.

   -04

   o  Refer to the registries as the primary sources of defined values
      and then secondarily reference the sections defining the initial
      contents of the registries.

   o  Normatively reference XML DSIG 2.0 for its security
      considerations.

   o  Added this language to Registration Templates: "This name is case
      sensitive.  Names that match other registered names in a case
      insensitive manner SHOULD NOT be accepted."

   o  Described additional open issues.

   o  Applied editorial suggestions.

   -03

   o  Clarified that "kid" values need not be unique within a JWK Set.

   o  Moved JSON Web Key Parameters registry to the JWK specification.

   o  Added "Collision Resistant Namespace" to the terminology section.

   o  Changed registration requirements from RFC Required to
      Specification Required with Expert Review.

   o  Added Registration Template sections for defined registries.

   o  Added Registry Contents sections to populate registry values.

   o  Numerous editorial improvements.

   -02

   o  Simplified JWK terminology to replace the "JWK Key Object" and
      "JWK Container Object" terms with simply "JSON Web Key (JWK)" and
      "JSON Web Key Set (JWK Set)" and to eliminate potential confusion
      between single keys and sets of keys.  As part of this change, the
      top-level member name for a set of keys was changed from "jwk" to
      "keys".

   o  Clarified that values with duplicate member names MUST be
      rejected.

   o  Established JSON Web Key Set Parameters registry.

   o  Explicitly listed non-goals in the introduction.

   o  Moved algorithm-specific definitions from JWK to JWA.

   o  Reformatted to give each member definition its own section
      heading.

   -01

   o  Corrected the Magic Signatures reference.

   -00

   o  Created the initial IETF draft based upon
      draft-jones-json-web-key-03 with no normative changes.

Author's Address

   Michael B. Jones
   Microsoft

   Email: mbj@microsoft.com
   URI:   http://self-issued.info/